Empty AD Group

LOW
Note: This indicator is in Early Access.

Description

While having an empty group may not always be "bad practice," its appropriateness depends on the specific use case and organizational requirements. Nevertheless, there are potential considerations and reasons to exercise caution or avoid empty groups:

  1. Confusion: Teams may find it time-consuming to discern the purpose of an empty group.
  2. Security implications: Depending on its purpose, the group can apply forgotten permissions to users without proper supervision at any time.
  3. Policy compliance: The group may flag issues during compliance audits.
  4. Unused resources: Cleaning up this type of resource is essential to save management time. Specific scenarios may justify the existence of empty groups, such as placeholders for future use or within a broader role-based access control (RBAC) strategy.

Solution

To reduce confusion, security implications, policy compliance, and unused resources, empty groups must be either:

  • Used for at least two members.
  • Deleted

Indicator Details

Name: Empty AD Group

Codename: EMPTY-GROUP-AD

Severity: Low